> Everyone needs to be adopting a form of zero trust or trust but verify to every digital interaction and every use of technology.
I'd be interested in hearing how folks find working with "zero trust"; my employer's adoption of a zero trust VPN has been pretty bad, but I don't know if it's normal.
In my company, it's made it much harder to give decent support to users; previously, a user knew if they were on the VPN or not, and if they were on the VPN but they couldn't reach our service, that was a very rare event and it led to a P1 outage getting an immediate response from a senior engineer.
Now, users don't know if they've passed the device posture checks or not - user plugs in their phone to charge it? Unauthorised external storage device, silently reduce their network access. So now if a user knows they're on the VPN but can't reach our service, that's very common; it's a P4 issue and within 4 hours an intern will tell them to reboot their PC and try again.
Apparently users can't be told when they've failed the device posture check or why, for 'security'.
Needless to say, the engineers hate the much larger support burden, and the users hate the much slower and less helpful responses.
Weren't there protocols implemented for the devices connected to the VPN that would proof against the most common sources of posture check failure? I imagine most problems are quite trivial, like the phone you mentioned, especially if treated as P4 (there might even already be a document with the required advice used by the interns when telling people to reboot).
No, and this isn't the concept of Zero Trust's fault. This is inexperience and/or a lack of competency from your security people and your support people. Although, more likely given that two "silos" are impacted, systemic organizational issues that aren't going to go away.
But isn't the whole point of Zero Trust to move away from a binary "fully trusted (allowed on the VPN) or not" and towards nuanced, dynamic, semi-trusted states?
i.e. isn't the fact you can be on the VPN yet blocked from accessing the service the goal of Zero Trust?
Is it supposed to suck this much?